Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About vishalduttauk
vishalduttauk
Communicator
Member since:
11-06-2020
10-15-2025
Community Statistics
| Posts | 64 |
| Solutions | 3 |
| Karma Given | 28 |
| Karma Received | 5 |
| Member Since | 11-06-2020 |
Activity Feed
- Posted Re: Eval Expression filter ingestion actions on Splunk Enterprise. 07-22-2025 12:38 AM
- Karma Re: Eval Expression filter ingestion actions for PrewinThomas. 07-22-2025 12:37 AM
- Posted Re: Eval Expression filter ingestion actions on Splunk Enterprise. 07-18-2025 08:16 AM
- Posted Re: Eval Expression filter ingestion actions on Splunk Enterprise. 07-18-2025 08:02 AM
- Karma Re: Eval Expression filter ingestion actions for livehybrid. 07-18-2025 07:57 AM
- Posted Eval Expression filter ingestion actions on Splunk Enterprise. 07-18-2025 07:18 AM
- Posted Re: Lost AWS events after ingestion on Getting Data In. 06-19-2025 07:55 AM
- Posted Re: Ingesting Email data using Splunk Add-on for Microsoft Office 365 on All Apps and Add-ons. 06-04-2025 09:30 AM
- Karma Re: Ingesting Email data using Splunk Add-on for Microsoft Office 365 for livehybrid. 06-04-2025 09:26 AM
- Posted Ingesting Email data using Splunk Add-on for Microsoft Office 365 on All Apps and Add-ons. 06-04-2025 09:05 AM
- Posted Re: Salesforce UserLicense Events on Splunk Search. 04-08-2025 01:08 AM
- Karma Re: Salesforce UserLicense Events for livehybrid. 04-08-2025 01:03 AM
- Posted Salesforce UserLicense Events on Splunk Search. 04-04-2025 07:04 AM
- Posted Lost AWS events after ingestion on Getting Data In. 09-12-2024 01:51 AM
- Posted Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Tagged Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Tagged Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Got Karma for Push notifications stopped working. 05-23-2024 07:52 AM
- Karma Re: Push notifications stopped working for Ahmeed. 05-23-2024 07:49 AM
- Posted Push notifications stopped working on Monitoring Splunk. 05-21-2024 07:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-22-2025
12:38 AM
Thank you Prewin that has worked
... View more
07-18-2025
08:16 AM
I might have a solution now by using this statement: NOT match(_raw,"splunk.test@test.co.uk")
... View more
07-18-2025
08:02 AM
Hi @livehybrid, Here is the eval which works on the search | eval match=if(RecipientAddress="splunk.test@vwfs.co.uk",1,0) | search match=1
... View more
07-18-2025
07:18 AM
I am ingesting data from the Splunk Add on for O365. I want to use the Eval Expression filter within an ingestion action to filter what email addresses we ingest data from. Sampling the data is easy but the next bit isn't. I drop events where the RecipientAddress is not splunk.test@test.co.uk. Creating an | eval within a search is simple but creating something that works for a filter using eval expression, which drops Events is where i am struggling. Our Exchange/Entra team are having problems limiting the online mailboxes the Splunk application which is why I am looking at this workaround. Ignore the application thats tagged as we are using Enterprise 9.3.4. Can you help?
... View more
Labels
- Labels:
-
configuration
-
using Splunk Enterprise
06-19-2025
07:55 AM
index=aws but i ended up logging onto both servers and moving the whole index from "old" Splunk over to "new" Splunk
... View more
06-04-2025
09:30 AM
I have installed this one but i've not been able to get it working. I'm using the same proxy as with the Splunk Add-on for Microsoft Office 365 and I've put in an incorrect secret key but i don't get any kind of error like i do with the Splunk Add-on for Microsoft Office 365.
... View more
06-04-2025
09:05 AM
Hi there, We have an on prem Exchange mailbox which we monitor via the Exchange logs. We pick out key words from the subject line to trigger alerts. Our mailbox is moving into Exchange online so i've been working with our Azure team and managed to integrate Splunk Enterprise (on prem) with a test online mailbox and so far i am ingesting generic information about the mailbox via the Splunk Add-on for Microsoft Office 365. Information like information like Issue Warning Quota (Byte), Prohibit, Send Quota (Byte) and Prohibit Send/Receive Quota. The 2 inputs i've created are Message Trace and Mailbox (which ingests the mailbox data above). What i want to do is to ingest the emails themselves. The key information like subject, the body (if possible), from address and to address. Is this possible using is add on?
... View more
Labels
- Labels:
-
administration
-
configuration
04-08-2025
01:08 AM
Hi @livehybrid The interval is set to every 60 minutes and there are no errors logged against the internal index.
... View more
04-04-2025
07:04 AM
I have been using the Splunk Add on for Salesforce Add on for while now but i want to know if anyone else is using it and noticed if the number of events being ingesting has decreased? When i look back to December i could see i could see Splunk would ingest mutiple UserLicense events per day but now its one event every 4 days.
... View more
Labels
- Labels:
-
other
09-12-2024
01:51 AM
I am in the middle of a Splunk migration. One of the tasks is to moved data from some sourcetypes onto the new servers using the | collect index=aws sourcetype=* command.
The numbers added up after running checks. I run the same checks again a day later and the numbers no longer match up.
Source 1 ->
Old Splunk
New Splunk
Source 2 ->
Old Splunk
New Splunk
August
12,478,853
12,478,853
26,171,911
26,171,911
24 hours later
Source 1 ->
Old Splunk
New Splunk
Source 2 ->
Old Splunk
New Splunk
12,478,853
12,477,696
26,171,911
3,001,183
I've set the following stanza within the indexes.conf file on the deployment server. Also the index only contains 22gb of data. Can you help?
[aws]
coldPath = $SPLUNK_DB\$_index_name\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\$_index_name\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\$_index_name\thaweddb
frozenTimePeriodInSecs=94608000
... View more
06-25-2024
08:24 AM
We are already ingesting Salesforce data via the Salesforce for Splunk Add on. I have a requirement to monitor when an admin permission set has been assigned to a user and what changes that user makes. Has anyone fulfilled a similar requirement? So far i have found a list of the following objects that could provide the information i need to see when a permission set is assigned to a user (https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionsetassignment.htm) but not sure how to track what changes that admin user makes. Can you help?
... View more
Labels
- Labels:
-
administration
05-21-2024
07:16 AM
1 Karma
Has anyone noticed the push notifications through the Splunk Mobile app has stopped working recently. We are using Spunk on prem, Splunk Secure Gateway set up with prod.spacebridge.spl.mobi set as the Gateway but I noticed the notifications stopped appearing on my home screen of when my iPhone was locked. Other colleagues using different devices are complaining of the same issue. I can't remember the exact date but it may have been around the 3rd May. No changes to our config have been made but i'd be interested to know if anyone else is having this issue.
... View more
Labels
- Labels:
-
splunkd
09-28-2023
08:06 AM
Thank you @ITWhisperer !! I've checked and its worked a treat as there are no duplicate propsals
... View more
09-28-2023
04:53 AM
Thank you and that has worked 👍 I've noticed we have got duplicates with our data. How can I dedup on PROPOSALNUMBER and PROPOSAL_NUMBER?
... View more
09-27-2023
08:38 AM
Thanks @ITWhisperer I can see the values in the query1 and query2 but count1 count2 diff are all showing as 0
... View more
09-27-2023
12:51 AM
Hi there,
I have a dashboard and I want to subtract the total number of events of 2 queries but not sure how to do it, can you help?
Query 1:
index=mssql sourcetype=SQL_Query source=Sales_Contracts_Activations* OR source=Sales_Contracts_Activations_BOM
Query 2:
index=mssql sourcetype=SQL_Query source=Esigns CALLBACK_STATUS="SUCCESS" STATUS=Complete
... View more
06-06-2023
04:46 AM
Hi there,
I am trying to get a rolling number whenever proposals get activated. I am able to execute the following SQL script which gets me a figure for proposals activated today using this:
select * from cr_managementinformation where activation_date >= '06-JUNE-23'
order by proposal_status
When I change the input type to Batch then i use this:
SELECT * FROM cr_managementinformation
WHERE PROPOSAL_NUMBER > ?
AND activation_date = TO_DATE(current_date)
ORDER BY PROPOSAL_NUMBER ASC
The rising number does not match the batch number. i.e. the batch number of activations today is 302 but the rising number is only 5.
Can you help?
... View more
Labels
03-28-2023
08:23 AM
I've created fields from regex expressions before but never from the source field.
This is an example of the value within the source field: \\host0000\Test\IT Information\ Data Files\Daily Reporting\Business Unit\
I would like to extract the business unit value and call it Business Unit.
I have access to create a props.conf file.
Can you help?
Kind regards,
Vishal
... View more
Labels
- Labels:
-
props.conf
03-24-2023
02:44 AM
Hi all,
I am getting data in via an API (using the add on builder) but having creating a regex which splits it into a better format rather than 1 big event. Here is an example of the event:
"@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs",
"@odata.count": 111,
"value": [
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
How i want it to look. Event 1
"@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs",
"@odata.count": 111,
"value": [
{
Event 2
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
Can you help?
... View more
Labels
- Labels:
-
props.conf
03-03-2023
05:06 AM
HI there,
I've created a multi select input called Source and the Data Configurations is set to a search and Use search results or job status as tokens is ticked (i've tried with this unticked).
The source filter shows the values I expect to see but nothing happens when I tick one or more of the options.
Not sure if the code below is relevant but I am adding it in case it helps
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "@d,now"
},
"title": "Global Time Range"
},
"input_OvTI7NW3": {
"options": {
"items": ">frame(label, value) | prepend(formattedStatics) | objects()",
"token": "ms_monMf0CU",
"defaultValue": ""
},
"title": "Source",
"type": "input.multiselect",
"dataSources": {
"primary": "ds_ESObVruQ"
},
"context": {
"formattedConfig": {
"number": {
"prefix": ""
}
},
... View more
Labels
- Labels:
-
chart
-
Dashboard Studio
02-03-2023
04:21 AM
Hi there, I am trying to ingest data which is stored within the profile of a user's AddData location: C:\Users\(User ID)\AppData\Local\UiPath\Logs but can't pull in any events. I've tried lots of different stanzas like [monitor://C:\Users\DKX*\AppData\ [monitor://C:\Users\DKX$\AppData\ [monitor://C:\Users\...\AppData\ [monitor://C:\Users\%userprofile%\AppData\ Any idea why it isn't working? I know i've not added in all my stanza attempts but could it be due to the Splunk service account not having access to that location?
... View more
Labels
- Labels:
-
inputs.conf
-
universal forwarder
12-29-2022
05:12 AM
Thanks @rrovers that has worked a treat 🙂
... View more
- Tags:
- thanks
12-29-2022
01:32 AM
Hi there, I have a search where I want to see where one date field is the same or starts before another but my search results only shows me events where both dates are the same, can you help? I am trying to find events which contains an end date that is before the created date. The data isn't create so a typical date entry would be 12112022 index=UAT sourcetype="Test_Txt_data" | eval end_date_epoch = strptime(end_date,"%d%m%Y") | eval created_date_epoch = strptime(created_date,"%d%m%Y") | where end_date_epoch <= created_date_epoch | eval end_date = strftime(end_date_epoch, "%d/%m/%Y"), created_date = strftime(created_date_epoch, "%d/%m/%Y") | table proposal, created_date, end_date
... View more
11-21-2022
07:00 AM
Thanks @yuanliu this has worked a treat! 😀
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-15-2025
08:23 AM
|
Karma given to
